Securing your mobile technology with Knox Platform for Enterprise

Security is kind of a funny thing for IT managers and end users. They can’t touch it or see it. They’re not always sure it’s even doing anything. They add a lot of security and … nothing happens!

Security may be hard to grasp, but it’s still critical to Samsung’s enterprise and government customers. Samsung has a reputation for being at the forefront of Android security, and that means CIOs trust us to build strong, reliable security products.

The Samsung Knox team has spent eight years refining our mobile security platform, working in close partnership with customers with complex, serious security requirements. We don’t just work in theoretical security; we are the experts at taking high-security protections from the defense industry and balancing them with the “ease-of-use” and productivity needs of business users and IT administrators.

Downtime is money after all, and so we design business devices and products that anyone can use, instead of consumer-centric devices that leave businesses endlessly fiddling. That refinement has taken time and a lot of cooperation with enterprises of all shapes and sizes. But it’s resulted in Samsung hardware and software that’s “rock solid” when it comes to security, and that gives enterprises a broader set of controls to meet complex device management needs.

Today, business customers can take advantage of many of the core Knox capabilities through our cloud-based management tools, including the Knox Manage enterprise mobility management (EMM) solution, Knox E-FOTA (for managing firmware updates) and Knox Configure (for device customization).

But for enterprises with more complex security and management needs, Knox Platform for Enterprise (KPE) is the offering which provides access to our most advanced features and capabilities.

Built-in security

KPE isn’t a product you add to your Android phones to increase security. Instead, KPE is a security platform built directly into our Android product line. All of our enterprise customers enjoy increased security from Knox, even if they don’t activate its most advanced features. KPE’s security starts with the hardware and goes all the way up.

For example, Samsung Galaxy devices were the first to include a hardware-backed key store. That may sound obscure, but it’s an extra edge that security experts agree helps stop credential theft and data loss for everyone from enterprises to Bitcoin traders. And the key store is just one of dozens of Knox innovations that make our smartphone and tablet hardware more secure.

The most advanced parts of KPE are there to support our enterprise customers who have the most demanding security requirements. Mobile devices aren’t snazzy accessories anymore; they’re becoming the new endpoint for many enterprise applications. That means that we at Samsung have to close the gap between what enterprises expect for security and what’s available in off-the-shelf Android. Smartphones have to evolve to match what enterprise IT managers expect from their desktop devices.

I like to divide the parts of KPE into four bins: data protection, device management, device monitoring and credential management. Here are some examples of each to help explain what KPE is and why it’s an important toolset for enterprise IT security professionals.

Data protection

One differentiating feature in KPE is dual encryption for stored data — what we call Dual Data-at-Rest (DAR). When data is encrypted on Knox devices, enterprise IT managers have the option to double-encrypt it. We’ve seen time and time again that flaws in encryption algorithms can open up holes for data loss, and security breaches that leak user passwords can lead to attackers being able to impersonate employees and access sensitive data. Having two separate layers of protection means that a single security breach won’t give an attacker access to your data. These aren’t hypothetical issues; they’ve hit us in the security business over and over again. We can’t predict the next attack, but we can build systems that have backup protections to hold us over until breaches are resolved.

Dual DAR encryption is certainly an enterprise-focused feature. A home user may not be concerned about sophisticated attacks on their data, but a CISO definitely is. Enterprise devices need to be able to handle the real threats that affect the bottom line. This robustness comes from holistic features that simplify how IT handles threats and mitigates risks. It’s not for everyone, but KPE and Dual DAR ensure that your employee and business data can handle the constant stream of attacks without being the next security breach headline.

Credential and certificate management

Credential and certificate management is another KPE security edge that enterprise security managers have been asking for. Everyone is trying to move away from passwords and toward more secure authentication methods, but the shift isn’t simple. Key tokens, smart cards, digital certificates — each has benefits, but each also requires hardware and software compatibility to work properly. An IT manager may love some new, easy-to-use authentication solution, but unless the enterprise business apps they depend on daily support it, they’re out of luck!

KPE’s Universal Credential Management (UCM) provides a framework that allows new authentication solutions to work without requiring every software vendor to rewrite their code to support it. Android apps can continue using standard Android APIs for credential access, while IT can use UCM to “bolt on” new credential storage solutions, like tap-and-go employee badges. Application vendors don’t have to worry about providing support and updates for every hardware solution out there, and enterprise IT managers have the flexibility to drop in sophisticated new authentication systems without fear of application incompatibility. It removes complexity, which lowers support costs and downtime due to compatibility issues.

Device monitoring and management

Device monitoring and management are two other areas where KPE helps enterprise IT meet their expectations. When it comes to device monitoring, we deliver information via our Network Platform Analytics engine that isn’t available from any other Android phone. Threat management leaders like Zimperium can use that information to deliver the kind of forensics and analytics information that CIOs have come to expect from desktop endpoint security tools, but which hasn’t been available on mobile devices.

In addition to working with companies like Zimperium to leverage Knox features, we also expose many KPE features directly to our enterprise customers through a system called Knox Service Plugin (KSP). KSP allows deep customization of smartphone and tablet features and settings directly from their existing mobile device management (MDM) solution. With the Knox Service Plugin, enterprises can take advantage of Samsung features as soon as they’re available, instead of waiting for MDM vendors to update their products to add support. KSP allows IT managers to have the bleeding edge features on Samsung devices from day one. This lets us deliver new innovations to enterprises without waiting for the rest of the world to catch up.

The breadth and depth of unique features within KPE show that Samsung understands the complexity around enterprise mobile device deployments. We’re giving enterprise IT the tools to manage it all through holistic solutions that work together to simplify your job, and save you money and headaches down the road.

Learn how to build a cyber incident response plan in our free white paper, and get to know the whole Knox Suite of mobility management solutions.

David Thomson

David Thomson is a security expert who started his career working on Department of Defense contracts. His projects focused on protected classified data on Linux-based workstations and network appliances. He came to Samsung Research America in 2013 as a security engineer and helped bring Security Enhanced Linux (SELinux) protections to the Android OS. He has since worked as Product Manager for the core Knox security platform and now supports the Knox software and support sales team at Samsung Electronics America.
